Category Archives: Bits and pieces

I have owned one of these alarm systems for about 12 months now, and am finding myself increasingly frustrated with it.

To give a brief overview: The physical alarm sensors and control hub are an ODM product by Climax Technology in Taiwan (its original model number is MZ-1); this part of the package is quite well engineered. There are some tiny issues with the firmware on the control hub, but these could easily be fixed, provided that Yale ever asks them to. Here is the manual from another vendor who sells it, and we can see that it has an awful lot of handy features, but don’t get too excited: almost none of that is included in Yale’s cut of the product.

What really lets the package down is the App, which is the only way to interact with it. Despite two updates since I purchased, none of the issues I originally found/reported have been addressed, including the worst of them all: Excessive battery drain – which in the latest update, is now even worse. I strongly suspect it is developed by a different party, as in the case of other vendors, a smartphone app is not included.

I speak only from the point of view of having used the Android app, so cannot comment on the iOS edition, but can say that the two are functionally identical. There is little point in me detailing all the issues, as that has been done at length on the Google Play reviews.

Instead I would point any prospective buyers at what I think is the most significant pitfall of this product – that very attractive upfront promise: No monthly fees.

It’s true, you don’t pay anything per month, but quite frankly, I’d be happy to spare £5 a month for an alarm system that works and is issue free.

With every man and his dog wanting an app for something-or-other these days, app developers have become rather sought after, and therefore very expensive. Many work for app companies who also expect their own profits – Yale not being a company I would expect to have a large tech apparatus, it’s likely they are dependent on one or more such firms for their apps. This is bolstered by the observation of customer services using the term “Product Managers” instead of “Developers”, in reference to who issues are going to be passed on to.

That having been said, it’s not surprising, that Yale with only a bit of margin on successive retail sales to spend, has not got much to splash out on bug fixes, let alone adding all of the new features people are already asking for, ironically in many cases, features that the original package from Climax already supports.

My advice to Yale: A lot of people have expended significant effort physically installing one of these kits into their homes, and they’re clearly not happy. Get the issues fixed. You know what they are. If budgets are as tight as they appear to be, don’t even think about adding more features until what’s already there works properly.

Will we ever get a bug free system? In my case, likely not before my patience expires.

As a keen electronics hobbyist, I have designed some 50 or so PCBs to date. In each instance where a switching regulator is required, I’m typically reaching for one of two options: Where efficiency isn’t important – the trusty old LM2596, or when efficiency is required, I’ll be using a design from Linear Technology with synchronous regulation.

On my last two boards however, for reasons I am myself not entirely sure of (cost perhaps?) I used an MC34063. It’s been with us since the dinosaurs roamed the earth, and is unsurprisingly very primitive. It should have been designated to the dustbin of history, but thanks to the internet and the renascence of electronics in the hobbyist space, it has made an aggressive comeback, and for a simple reason: It’s dirt cheap.

My MC34063 was deployed on the PCB with the above circuit, lifted unchanged from the datasheet. It just so happened that I need 5V at 500mA max, from a 24-28V source. Perfect. What could possibly go wrong?

There is one very important thing we must consider when using this chip: It has absolutely no built-in thermal protection. The above circuit does have over-current protection, but this does not offer any protection from sustained short circuits. In many cases that isn’t a problem, but on this board it was.

From looking at the photo, we can see that there’s quite a bit of burned out stuff, making it a little difficult to piece together exactly what happened. Fortunately it all unfolded before my very eyes. The problem started with something that was nothing to do with the MC34063. See those two rectangular capacitors? One of them is particularly toasty indeed.

That capacitor is an AVX “TAJ” series 330uF 10V tantalum. It had developed an internal short circuit which caused the MC34063 to gradually heat up, eventually reaching a point where its internals melted, then becoming a short circuit itself.

Once the MC34063 became a short circuit, the 25V input voltage surged straight through to the 5V secondary. Bear in mind that this voltage is coming from a bank of large lead acid batteries.

Both pairs of batteries were protected with battery fuses, but those were 15A apiece, as this is a very high power setup. Also on the PCB was a 30A maxi blade fuse. Surely one of those would have blown? Nope. When silicon melts to the point of becoming a short circuit, there are typically still a few ohms of resistance, which in this case was not enough to blow any fuses.

What happens next? BOOM! The short circuiting of the MC34063 unleashed 25V @ ~40A of potential at that shorted capacitor, which promptly exploded, ejecting a significant amount of fire and hot gases in the process. In the picture you can clearly see the internals of it have become a melted blob of metal, transforming it into a very effective short circuit.

The last phase of destruction was the MC34063 itself burning to a cinder, as it is now the weakest part of the circuit, doing significant damage to the PCB in the process.

It’s at this point that you start recounting exactly what is attached to the 5V rail, because it is likely now toast. The tantalum capacitor must have briefly been open circuit because all 10 ICs fed from the 5V rail were completely destroyed, as well as all of the chips on a second PCB also fed from this regulator, requiring hours of rework to replace them all. Just as well there was nothing expensive connected to it.

Lessons learned

When using an MC34063, or anything else without built-in protection – short out its output for a few minutes and see what happens. If you find yourself staring at a mess like the above, sort it out. Don’t ever assume it won’t happen.

In cases like this where the system is fed from batteries, protected by large fuses – add a second smaller fuse i.e. 500mA before small circuits like this.

In my case I have ditched the MC34063 and replaced it with a Wurth 173010542 7805 switching drop in replacement. It gets me a 5V output with 90% efficiency, over-current and over-temperature protection. Not cheap, but when you are talking about stuff that could start a fire…

One of the biggest advantages of these sensors over I2C sensors is that you can mount them almost anywhere. That having been said, I’ve never quite managed to come up with an elegant solution, particularly when attaching to a heatsink (for cooling applications).

Typically I find myself drilling 5mm holes in pieces of aluminum, then stuffing the sensor in that hole, or using small metal clips, which aren’t always reliable.

One solution I looked at was using the aluminum heatsink clips from vintage TO-92 transistors i.e. 2N3403 and 2N4425. These are absolutely perfect but unfortunately the clips aren’t purchasable without the transistor. Sadly these parts are no longer in production and becoming increasingly rare. Destroying them to scavenge their heatsink clips is a little senseless.

Some old TO-92 transistors came with rather nice heatsink clips

Without wanting to risk the wrath of the world’s remaining Ham Radio enthusiasts… What other options are there?

I recently had the idea of using ‘Yellow’ (6mm) ring terminals with 3.2mm holes:

Perfect! All I had to do was remove the plastic band, cut the crimp and open it a little, add a little heatsink compound (to be pedantic), then gently crimp the sensor in place with pliers.

This has turned out to be a robust and inexpensive solution, as those terminals are made of copper, they conduct heat very effectively. I wish I had thought of this a decade ago.

Putting a little heatshrink over the final assembly makes for a good finishing touch.

I recently found myself needing a simple circuit which could detect a low battery condition of a sealed lead acid setup, but also with a hysteresis function i.e. don’t re-enable the output until the battery voltage rises to a certain threshold.

The internet is practically exploding with low voltage detection circuits but many are quite complicated with exotic ICs and other fussy details.

Geez man. All it takes is a single comparator and two resistors (three for hysteresis).

Okay so my circuit has a little more, that is because making something that is actually useful requires a bit of extra stuff.

With the above component values it will cut out at 11.2V and re-activate at 12V, which is good for most sealed lead acid batteries. There is also a second comparator – this is purely acting as a logic inverter, because I needed a negative logic output. If you don’t need it, leave it out. One of the cheapest and most available comparators – the LM393 has two units anyway, so this works out well.

The main guts of the circuit is R1, R2, R3 & U1A. R4 & R5 are a simple voltage divider to get the input voltage inside of the 5V operating range of the comparator. R6, R7, R8 & R9 should be left as is.

The math

Because I’m using fixed resistors, I’ve worked backwards, from a ‘components first’ approach, simply working out the formula for the circuit then plugging a variety of E24 resistor values in until I got what I wanted. I find this easier than working from a ‘results first’ approach i.e. starting with the desired voltages, to then being told by your workings you need a whole bunch of resistor values that don’t exist!

VCC (Constant – 5.0): The output of the 78L05

VL (Constant – 0.1): The voltage the LM393’s output transistor can pull down to. Yours may vary. The expression containing this term can be omitted if you are happy to call it zero.

If you wanted to adjust my thresholds, assuming a 12V setup, focus on R1, R2 & R3. Leave R4/R5 as is. If changing to a different voltage / type of battery, then R4/R5 need to be adjusted to bring the voltage at pin 2 within a 2-3 volt range.

If you happen to be producing boards which use Xilinx’s long discontinued classic 5V CPLDs which are purchased as scrap from the far east (which I hope you are not), you may have found that getting quality samples is not so straightforward.

The situation is not so bad for smaller devices, but for the larger ones, it’s tough. One of my projects (8OD) is stuck with the XC95216. Being a 100% 5V design with a swag of 5V bidirectional I/O pins, converting to a modern 3.3V device is completely out of the question.

Without the spare time or willingness to adapt the design to an inevitably ridiculously expensive alternative; I have been dependent on purchasing recycled chips from the far east (typically sold on eBay or AliExpress).

In terms of what arrives in the post, it’s a mixed bag. I’ve had perfect genuinely new batches, and other batches which are in poor physical condition (i.e. scratched, pins bent / missing).

To frustrate matters further, the best (absolutely perfect) batch I received then prompted me to make a second purchase from that same seller. But upon arrival of that parcel, I quickly saw that it was sent from a different address, in different packaging. Surprise surprise… Some were clearly scrap, and most of them were dead.

Here is a sample of the kinds of errors I find when I assemble boards with dead chips:

Completely sodding dead

When dealing with properly dead chips we sometimes see an error like this from iMPACT:

This is quite a curious error, as I have had chips, both from the same batch, identical markings etc where one identifies OK, but the other has a bit or two twiddled (i.e. version as shown here).

Avoiding wasting your time with dead chips

I have spent a lot of hours checking soldering, voltages, JTAG signals on my scope etc, all to no avail. I do not know what is involved in recycling these chips but whatever the process, a crapload of them don’t survive it.

Quite how so many end up dead leaves one to ponder, because from my own experiences, they are pretty robust. I have some XC95216’s that have been carelessly soldered/de-soldered 5 times or so by myself, zapped with large electrostatic discharges and even those survived! Perhaps these chips are typically removed from equipment with a propensity for suffering lightning strikes? Are they de-soldered with a flame thrower?

A quick google image search for “Guiyu” gives us a hint of what this business is like. My own guess is that they are killed with excessive temperatures during de-soldering.

Rule of thumb seems to be, if it can be successfully programmed with iMPACT, it’ll work. I have not yet found one that then went on to fail the burn-in test.

And on that note, I took the time to build a simple rig to weed out the duds:

It’s a blank PCB with power, decoupling and JTAG components fitted. I then use a small clamp to press the CPLD onto its footprint on the board, with a block of polypropylene and a layer of adhesive felt to ensure even pressure. To keep it extra high-tech – I’ve also got a pad of post-it notes underneath.

As much as this may not appear to be a reliable mechanism, it most certainly has proven to be. I happened to have preserved a tray of known-good / known-bad chips and when I tested them with this, the good chips – even those that weren’t very well cleaned up (i.e. still some solder on them) – verified perfectly in this rig.

Last but not least:

If you end up with a bunch of dead chips, use buyer protection to get your money back.

This is a lot easier on AliExpress than eBay

At the very least we may be able to entice recyclers to be a little more cautious.

A little while back I purchased Xeltek’s SuperPro 610P Universal programmer.

It has the odd quirk, but overall it’s done the job. There is one thing however that has always irritated me about this product – This damn thing:

Every time you start their application, or change device, you are prompted with this absolutely f–king useless dialogue, having to dismiss it every time, worse still, it has no OK or Close button. Even more annoying, there is no option to disable the displaying of it in the first place.

Hell, even if there was any useful information on it, that doesn’t mean I want to see it every single time I use the SuperPro!!!

I contacted Xeltek’s customer support about that, they had me go to the trouble of sending my invoice and serial number to them to prove that I in fact had actually paid them a sum of money, and then promptly did absolutely nothing about it, other than tell me that it could not be disabled.

Despite how simple it would be to even change the software to provide an option to disable it, repeated requests to do so were ignored.

Righty. Time to do something about this. 30 minutes behind IDA later we’re onto it. Quickly I can see it is written on the very same tech I cut my own teeth on: Microsoft Foundation Classes (MFC).

Given this, it’s pretty likely that we’ll see a call to _AfxPostInitDialog() at some point during the displaying of a dialog.

Let’s put a breakpoint in there, and bingo! Hop back up the stack a little, and there I find the offending instruction:

The highlighted instruction is in code written by Xeltek, and calls a function which displays that dialogue both when the application starts and when the device type is changed, but not when the “Dev. Info” button is pressed (in the unlikely event I actually want to see that bloody useless dialogue).

So all that needs to be done is remove it.

In the current version at the time of writing (the version dated 07/21/2016) that instruction (opcode 0xE8) and its 4 byte operand is physically located at 0x3373F in SP6100.exe. Replace it with 5 NOP (0x90) instructions, and we’re good.

Now that dialogue is only displayed when the “Dev. Info” button is clicked, which is all I ever wanted to begin with.
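The five-byte patch described above, as an added example rather than the author's own tooling: it confirms that the bytes at the stated file offset really start with a CALL rel32 (opcode 0xE8) before overwriting them with NOPs, and it keeps a backup of the original file. The function names and the .bak suffix are assumptions; the offset only applies to the build the post names.

```python
"""Guarded 5-byte NOP patch (added example, not Xeltek's or the author's code)."""
import hashlib
import shutil
from pathlib import Path

CALL_REL32 = 0xE8               # x86 near call with a 4-byte relative operand
NOP = 0x90
PATCH_LEN = 5                   # 1 opcode byte + 4 operand bytes
DIALOG_CALL_OFFSET = 0x3373F    # file offset quoted in the post (07/21/2016 build)


def nop_out_call(image: bytes, offset: int) -> bytes:
    """Return a copy of image with the CALL at offset replaced by NOPs.

    Refuses to touch anything that is not a CALL rel32, so running it against
    a different build fails loudly instead of corrupting unrelated code.
    """
    if offset < 0 or offset + PATCH_LEN > len(image):
        raise ValueError(f"offset {offset:#x} is outside the file")
    site = image[offset:offset + PATCH_LEN]
    if site == bytes([NOP]) * PATCH_LEN:
        return image                        # already patched: nothing to do
    if site[0] != CALL_REL32:
        raise ValueError(
            f"expected opcode 0xE8 at {offset:#x}, found {site.hex()}; wrong build?")
    patched = image[:offset] + bytes([NOP]) * PATCH_LEN + image[offset + PATCH_LEN:]
    assert len(patched) == len(image)       # an in-place patch must not shift code
    return patched


def changed_offsets(before: bytes, after: bytes) -> list:
    """List every offset whose byte differs, to confirm the patch stayed local."""
    return [i for i, (a, b) in enumerate(zip(before, after)) if a != b]


def patch_file(path, offset=DIALOG_CALL_OFFSET) -> str:
    """Patch path in place, keeping <name>.bak; returns SHA-256 of the original."""
    path = Path(path)
    original = path.read_bytes()
    patched = nop_out_call(original, offset)
    if patched != original:
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_bytes(patched)
    return hashlib.sha256(original).hexdigest()
```

Recording the returned SHA-256 alongside the offset ties the patch to one specific build, which is what makes the opcode check meaningful after a vendor update.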

Recently while staying with the folks in New Zealand, I read that (their) consumer focused ISP – 2Degrees (Formerly Snap Internet) is actually offering IPv6 connectivity to customers, no strings attached!

Although not news, this is a pretty significant development for the New Zealand Internet Service Provider market, with almost every other provider very much heads in the sand on the matter.

IPv6 Adoption in New Zealand (Courtesy Google): Not impressive

Being a nation with a small population and in possession of a fairly reasonable stock of IPv4 addresses, it’s not surprising the country’s service providers have been procrastinating.

But anyway, the important question: Does it actually work?

A Cisco 877 I left here a number of years ago ought to be up to the task.

The last one is a bit of an odd command. The expression “::1000:0:0:0:1/64” sets the last 80 bits of the interface’s address, with the first 48 bits provided by the ISP. If you wanted to allocate another subnet in your network, you could change the “1000” to “1001” for example.

The subnet is /64 as always because this configuration will end up using EUI-64 for address assignment.

I prefer to use stateless DHCPv6 for the configuration of IPv6 DNS servers (a fat lot of good for Android devices) but with RDNSS support almost non existent across mainstream platforms, we’ll have to live with it.

Here we’ll create a DHCPv6 pool just for handing out Snap’s two IPv6 DNS servers:

Address configuration is done by ICMP in this configuration, so we’ve got to set the other-config-flag to let clients know to get the DNS servers via DHCP.

At this stage, anything connected to the network should now be online with IPv6. Windows 7+ clients do not need any additional configuration, the same should be true for most Linux distributions.

Running the “ipconfig /all” command on a Windows 7 machine confirms it’s all working nicely:

Here we can see a full IPv6 address on this client which is:

Snap’s prefix (2406:e001) plus our customer prefix (censored) plus the prefix of the local subnet I configured earlier (0x1000) and finally this machine’s EUI-64, all together, making a rather long string of digits.
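How that address is put together, as an added example that is not from the original post: the delegated /48, the subnet ID carried in the ::1000:0:0:0:1/64 suffix, and the client's EUI-64 interface identifier. The 2001:db8:1234::/48 prefix and the MAC address are constructed placeholders (the real customer prefix is censored), and the last function shows that an EUI-64 address gives the MAC back to anyone who sees it.

```python
"""Compose and decompose SLAAC/EUI-64 addresses (added example; sample values are constructed)."""
import ipaddress
from typing import Optional

DELEGATED_PREFIX = "2001:db8:1234::/48"   # placeholder for the ISP-delegated /48
ROUTER_SUFFIX = "::1000:0:0:0:1"          # last 80 bits, as in the post
SAMPLE_MAC = "00:1a:2b:3c:4d:5e"          # constructed client MAC


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64: insert ff:fe in the middle and flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def router_address(delegated: str, suffix: str = ROUTER_SUFFIX) -> ipaddress.IPv6Address:
    """First 48 bits from the ISP, remaining 80 bits from the configured suffix."""
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen != 48:
        raise ValueError("this sketch assumes a /48 delegation")
    return ipaddress.IPv6Address(
        int(net.network_address) | int(ipaddress.IPv6Address(suffix)))


def lan_subnet(delegated: str, subnet_id: int) -> ipaddress.IPv6Network:
    """The /64 selected by a 16-bit subnet ID (0x1000 in the post, 0x1001 for another)."""
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen != 48 or not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("need a /48 and a 16-bit subnet ID")
    return ipaddress.IPv6Network((int(net.network_address) | (subnet_id << 64), 64))


def client_address(delegated: str, subnet_id: int, mac: str) -> ipaddress.IPv6Address:
    """Address a client forms by SLAAC with an EUI-64 interface identifier."""
    lan = lan_subnet(delegated, subnet_id)
    return ipaddress.IPv6Address(int(lan.network_address) | eui64_interface_id(mac))


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 address, or None if the ff:fe marker is absent."""
    iid = (int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    client = client_address(DELEGATED_PREFIX, 0x1000, SAMPLE_MAC)
    print("router:", router_address(DELEGATED_PREFIX))
    print("client:", client, "-> MAC", mac_from_address(str(client)))
```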

Now the ultimate test: Ask Mr Google that question we’ve all asked at some point:

And there it is. Pretty impressive to be seeing that from New Zealand!

Hang on, we’re not done yet

I shouldn’t have to explain, that there’s no such thing as private IP addresses in IPv6. Everything is public.

So we should put some firewall rules in place to keep those script kiddies out of the home network. I’ve implemented this using reflexive ACLs.

The above gives us back more or less the level of security we took for granted with NAT IPv4 address sharing.

Getting it working on Android devices

Because Google still have their head up their arses when it comes to the matter of DHCPv6 support, and Cisco not having implemented RDNSS in IOS until v15.4 (the last version for Cisco 877 was 15.1) – the easiest option to make this work is to configure IPv4 DNS servers (configured by DHCPv4) which will give out AAAA records in DNS responses.

Many ISPs (Including Snap’s) don’t. So you’ll have to find some others.

It was only a matter of time before I was going to own one of these. Having used the 16700A on the job more than 10 years ago, it was one piece of kit I never forgot the enjoyment of using.

Agilent 16702B in action

It also was inevitable that it’d be an 1670X that I’d go for, not for cost reasons, but to some extent. The affordable 16900’s are clapped out old Pentium III based units that won’t go to anything newer than the ancient Windows XP. This HP-UX based unit on the other hand, is timeless.

One of the first jobs: Replace that flaky, slow old SCSI hard disk with something a bit more modern. As no one has demonstrated any kind of practical (and cost effective) SSD solution for these units yet, I’m not keen to go splashing out on an expensive SCSI to SATA adapter which’ll be unlikely to work. The best hard disk option for repairers appears to be using SCA Ultra320 hard disks from old servers. They’re inexpensive, good performing, large and plentiful.

But first there is an annoying problem: Mine being one with the built in CD-ROM, the hard disk is mounted the opposite way to CD-ROM less units, and the offset of the connector with adapter on the incumbent disk arrangement makes it almost impossible to fit the SCA disk with adapter without slashing up the metalwork, or rebuilding the large SCSI ribbon cable, so I’ve had to make up this little “offsetter” cable to deal with it easily.

And here it is back in the LA

During the re-install I found that the installer just couldn’t seem to cope with the 146GB drive I had installed. I don’t think it’s completely impossible but the LVM configurator is hard coded to always use the whole drive, then complain that it’s too large for the bootloader to boot from. In the end I copped out and installed it on another 9.1GB disk and DD’d it over to my new drive. The bootloader doesn’t mind massive drives, just so long as the root VG doesn’t span its entirety.

I’m not sure where the line between ‘works’ and ‘doesn’t work’ is in terms of disk size, but can confirm that a 73GB drive works, whereas 146GB doesn’t. Maybe 128GB is the maximum?

To transfer the smaller partition set onto the large drive was easy. I simply attached both drives to the analyser at once, booted into the recovery shell from the install CD-ROM and ran these commands:

# loadfile dd
# dd if=/dev/dsk/c0t5d0 of=/dev/dsk/c0t6d0 bs=1048576

That took about 5 hours. Note here that SCSI ID 5 is the old 9.1 GB disk I just installed the OS on, and ID 6 is the newer 146GB drive. This had the disadvantage that I’ve wasted most of the drive, but it’s not like it’s ever going to be needed, and only using less than 10% of the drive has considerable performance advantages as the heads barely ever have to move a millimeter to boot the LA.

The upgrade was definitely worth it. With the old drive radiating enough heat to cook a steak, and producing the sound of a hundred maracas in a washing machine, this new drive is cool quiet and a lot faster. It’s now more responsive, and also boots about 15 seconds faster than before. It’s just a shame the rest of it makes a noise level somewhere between a hovercraft and a jet engine.

While I had the unit open – I took the opportunity to photograph two rather sought after but difficult to obtain items:

RARE: HP/Agilent 5063-9262 128MB memory upgrade

This is one tremendously exotic bit of RAM. It is similar to the memory found in old HP-UX workstations which had between one and four 64MB memory modules, but this particular one is a completely logic analyser specific pair of 64MB modules on a single 128MB PCB, despite the system reporting it as two 64MB upgrades.

5063-9262 Underside

Sadly these memory upgrades are only feasibly obtainable with a unit that was sold with them. Keysight apparently have some stock of the above upgrade, but with shipping and administrative charge, it’s cheaper to just buy a used Option 003 analyser, pinch its ram and throw it away.

UNOBTAINABLE: HP/Agilent 16600-66518 Video memory upgrade

Even more difficult to come by is the video memory upgrade, which increases maximum resolution from 1280×1024 to 1600×1200. So far as I can tell this upgrade is effectively useless as it will only output 1600×1200 @ 75Hz which no LCD monitor will accept, as 60Hz is the maximum refresh rate for all LCD panels, unless the monitor happens to have some kind of intermediate buffering mechanism which I am unaware of any examples of.

Interestingly though there is a “user defined” display mode which I hoped would allow entry of a modeline or EDID but thus far I have not found any interface to configure it.

16600-66518 Underside

The best way to use this Analyser appears to be the same way that I did on the job all those years ago: Remote X11

I was a little disappointed to find that after logging in via Telnet using the “logic 192.168.0.x:0.0” format, nothing happened. I don’t remember remote X11 being a difficult thing to use on these units. After trying all sorts of X servers, nothing worked at all!

In the end, I followed this guide, got a shell on it, and reset the password for the secret “hplogicz” user.

(Quoted from http://www.perdrix.co.uk/)

As the system is booting, use the Esc key to interrupt the boot process, then issue the command BO PRI ISL. When it asks you if you wish to interact with the boot process, respond with a “y” and press enter, then at the ISL> prompt, issue the command:

hpux -is

to get into single user mode.

Once you have a command prompt, you can use passwd root to change the root password.

In my case I wasn’t interested so much in resetting the root user’s password (but what the hey, why not) – but instead the hplogicz user which is already in place for this kind of use.

# passwd hplogicz

– and then reboot the LA, logged in via telnet with this account and started the logic analyser application manually with the following commands:

So it appears that on mine, the program that normally is supposed to start the remote session (/usr/sprockets/bin/sessionWrapper) wasn’t working, but can be manually fudged around by starting vp the old fashioned way.